APPARATUS AND METHOD FOR GENERATING AND VERIFYING ID-BASED 
BLIND SIGNATURE BY USING BILINEAR PARINGS 

Field of the Invention 

5 

The present invention relates to a cryptographic 
system; and, more particularly, to an apparatus and a method 
for generating and verifying an identity(ID) based blind 
signature by using bilinear parings. 

10 

Background of the Invention 

In a public key cryptosystem, each user may have two 
keys, i.e., a private key and a public key. A binding 

15 between the public key (PK) and the identity (ID) of a user 
is obtained via a digital certificate. However, in such a 
certificate-based public key system, before using the public 
key of the user, a participant must verify the certificate 
of the user at first. As a consequence, this system demands 

20 a large amount of computing time and storage because it is 
required to store and verify each user's public key and the 
corresponding certificate . 

In 1984, Shamir (A. Shamir, "Identity-based 

cryptosystems and signature schemes", Advances in 

25 Cryptology-Crypto 84, LNCS 196, pp. 47-53, Springer-Verlag, 
1984.) published ID-based encryption and signature schemes 
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to simplify key management procedures in a certificate-based 
public key setting. Since then, many ID-based encryption 
schemes and signature schemes have been proposed. The main 
idea of ID-based cryptosystems is that the identity 
5 information of each user works as his/her public key, in 
other words, the user' s public key can be calculated 
directly from his/her identity rather than being extracted 
from a certificate issued by a certificate authority (CA) . 

Therefore, - the ID-based public key setting need not 

10 perform following processes needed in the certificate-based 
public key setting: transmission of certificates, 
verification of certificates and the like. The ID-based 
public key setting can be an alternative to the certificate- 
based public key setting, especially when efficient key 

15 management and moderate security are required. 

The bilinear pairings, namely the Weil pairing and the 
Tate pairing of algebraic curves, are important tools for 
research on algebraic geometry. Early applications of the 
bilinear pairings in cryptography were made to resolve 

20 discrete logarithm problems. For example, the MOV (Meneze- 
Okamoto-Vanstone ) attack (using the Weil pairing) and 
FR (Frey-Ruck) attack (using the Tate pairing) reduce the 
discrete logarithm problems on certain elliptic or 
hyperellipt ic curves to the discrete logarithm problems in a 

25 finite field. Recently, the bilinear pairings have found 
various applications in cryptography as well. 
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Specifically, the bilinear parings are basic tools to 
construct the ID-based cryptographic schemes and many ID- 
based cryptographic schemes have been proposed by using them 
Examples of using the bilinear pairings in ID-based 
5 cryptographic schemes include: Boneh-Franklin ' s ID-based 
encryption scheme (D. Boneh and M. Franklin, "Identity-based 
encryption from the Weil pairing", Advances in Cryptology- 
Crypto 2001, LNCS 2139, pp. 213-229, Springer-Verlag, 2001.), 
Smart's ID-based authentication key agreement protocol (N . P . 

10 Smart, "Identity-based authenticated key agreement protocol 
based on Weil pairing", Electron. Lett., Vol.38, No. 13, 
pp. 630-632, 2002.), and several ID-based signature schemes. 

In a public key setting, the user information can be 
protected by means of a blind signature. The idea of using 

15 blind signatures was introduced by Chaum(D. Chaum, "Blind 
signatures for untraceable payments", Advances in Cryptology 
Crypto 82, Plenum, NY, pp. 199-203, 1983.), whose idea was to 
provide anonymity of users in such applications as 
electronic voting and electronic payment systems. A blind 

20 signature scheme is an interactive two party protocol 
between a user and a signer. In contrast to regular 
signature schemes, the blind signature scheme allows the 
user to obtain a signature of a message with the signer not 
knowing the contents of the message. The blind signature 

25 scheme plays a central role in constructing anonymous 
electronic cash systems. 
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Several ID-based signature schemes based on the 
bilinear pairings have been developed recently. On the 
other hand, ID-based blind signature system using the 
bilinear parings has not been yet proposed- An ID-based 
5 blind signature is attractive since one's public key is 
simply one's identity. For example, if a bank issues 
electronic cash with an ID-based blind signature, users and 
shops need not fetch the bank's public key from a database. 
They can verify the electronic cash only by the following 
10 information: "Name of Country", "Name of City", "Name of 
Bank" and "this year". 

Summary of the Invention 



15 It is, therefore, an object of the present invention 

to provide a method and an apparatus for generating and 
verifying an identity based blind signature by using 
bilinear parings, which reduces the amount of computing time 
and storage and simplifies the key management procedures. 

20 In accordance with one aspect of the present invention, 

there is provided a method for generating and verifying an 
ID-based blind signature by using bilinear parings, 
comprising the steps of: generating system parameters, 
selecting a master key, and then disclosing the system 

25 parameters by a trust authority; generating a private key by 
using a signer's identity and the master key, and then 
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transferring the private key to the signer through a secure 
channel by the trust authority; receiving and storing the 
system parameters by a user and receiving and storing the 
system parameters and the private key by the signer; 
5 computing a commitment by using at least one of the system 
parameters, and then sending the commitment to the user by 
the signer; blinding a message by using the commitment and a 
public key based on the signer's identity, and then sending 
the blinded message to the signer by the user; signing the 
10 blinded message by using the private key, and then sending 
the signed message to the user by the signer; unblinding the 
signed message by the user; and verifying the signature by 
the user. 

In accordance with another aspect of the present 
15 invention, there is provided an apparatus for generating and 
verifying an ID-based blind signature by using bilinear 
parings, comprising: means for generating system parameters, 
selecting a master key, and then disclosing the system 
parameters by a trust authority; means for generating a 
20 private key by using a signer's identity and the master key, 
and then transferring the private key to the signer through 
a secure channel by the trust authority; means for receiving 
and storing the system parameters by a user and receiving 
and storing the system parameters and the private key by the 
25 signer; means for computing a commitment by using at least 
one of the system parameters, and then sending the 
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commitment to the user by the signer; means for blinding a 
message by using the commitment and a public key based on 
the signer's identity, and then sending the blinded message 
to the signer by the user; means for signing the blinded 
5 message by using the private key, and then sending the 
signed message to the user by the signer; means for 
unblinding the signed message by the user; and means for 
verifying the signature by the user. 

10 Brief Description of the Drawings 

The above and other objects and features of the 
present invention will become apparent from the following 
description of preferred embodiments given in conjunction 
15 with the accompanying drawings, in which: 

Fig. 1A shows a block diagram illustrating an 
interaction, among participants of a blind signature system 
in accordance with the present invention; 

Fig. IB is a block diagram illustrating a process for 
20 generating and verifying a blind signature in accordance 
with the present invention; and 

Fig. 2 describes a flow chart showing an operation of 
the system for generating and verifying an ID-based blind 
signature by using bilinear parings in accordance with a 
25 preferred embodiment of the present invention. 
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Detailed Description- of the Preferred Embodiments 

Fig. 1A illustrates an interaction among participants 
of a blind signature system in accordance with the present 
5 invention. The system includes three participants, i.e., a 
signer 100, a user 200 and a trust authority 300. Herein, 
each of participants of the system may be a computer system 
and may communicate with another remotely by using any kind 
of communications network or other techniques. The 
10 information to be transferred between the participants may 
be stored and/or held in various types of storage media. 

The trust authority 300 generates system parameters 
and selects a master key. Further, the trust authority 300 
generates a private key by using the signer's identity and 
15 the master key. Then, the trust authority 300 discloses or 
publishes the system parameters and transfers the private 
key to the signer 100 through a secure channel. 

The user 200 receives the system parameters which the 
trust authority 300 provides. Then, the user 200 stores or 
20 holds them in a storage media. 

Meanwhile, the signer 100 receives the system 
parameters and the private key which the trust authority 300 
provides. Then, the signer 100 stores or holds them in a 
storage media. 

25 Referring to Fig. IB, a process for generating and 

verifying a blind signature between the signer 100 and the 
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user 200 is shown. The signer 100 computes a commitment by 
using at least one of the system parameters and sends the 
commitment to the user 200. Thereafter, the user 200 blinds 
a message to be signed by using the commitment and a public 
5 key, which is generated by using the signer's identity, and 
sends the blinded message to the signer 100. Then, the 
signer 100 computes a signed value of the message by using 
the private key and sends it back to the user 200 without 
knowing the contents of the message. Finally, the user 200 

10 receives the signed message from the signer 100 and verifies 
the signature. 

Referring now to Fig. 2, a detailed description on a 
method for generating and verifying an ID-based blind 
signature by using bilinear parings in accordance with a 

15 preferred embodiment of the present invention will be 
presented. 

Let G be a cyclic group generated by P, whose order is 
a prime g, and V be a cyclic multiplicative group of the 
same order g. Discrete logarithm problems in both G and V 
20 are considered to be hard. Let e; G x G —> V be a pairing 
that satisfies following conditions: 

1. Bilinear: e(P x + P 2 , Q) = e(P lr Q)e(P 2 , Q) and e (P, 
Qi + Q 2 ) = e(P, Qx)e(P, Q 2 ) or e(aP, bQ) = e(P, Q) ab ; 

2. Non-degenerate: There exists P ^ G and Q ^ G 
25 such that e (P, Q) * 1; and 

3. Computability : There is an efficient algorithm to 
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compute e (P, Q) for all P, Q ^ G. 

During a process of generating system parameters and 
selecting a master key (step 201) , which is performed by the 
trust authority 300, the cyclic groups G and V, order of 
5 each of them being q, are generated. Then P (the generator 
of G) and e; G x G —> V (a pairing of the two cyclic groups 
G and V) are generated. In the present invention, G is an 
elliptic curve group or hyperelliptic curve Jacobians and V 
uses cyclic multiplicative group Z q * . Then, the trust 

10 authority 300 selects an integer s belonging to Z q * as a 
master key and computes P puh = s - P. Additionally, the 
trust authority 300 selects hash functions H: {0,1}* -> Z g * 
and H 2 : {0,1}* -> G. 

Thereafter, the trust authority 300 generates a 

15 private key by using the signer's identity and the master 
key (step 202). Given the signer's identity ID, which 
implies the public key Q ID = Hi ( ID) , the trust authority 300 
returns the private key S ID = s • Q ID . It should be noted 
that the trust authority 300 can have access to the 

20 sensitive private key S ID : To avoid power abuse by the trust 
authority 300, n trust authorities with a (n, n) -threshold 
secret sharing scheme may be used to escrow the master key. 

The trust authority 300 discloses or publishes the 
system parameters. More precisely, the trust authority 300 

25 publishes <G, q, P, P pU br Hi> as the system parameters 

that the signer 100 and the user 200 may share. Further, 
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the trust authority 300 transfers the private key to the 
signer 100 through a secure channel (step 203) . 

The user 200 receives and stores the system parameters 
while the signer 100 receives and stores the system 
5 parameters and the private key(step 204). 

During a process of the blind signature, the signer 
100 randomly chooses a number r ^ Z q * , computes R = r • P, 
and sends R to the user 200 as a commitment (step 205). 

Thereafter, the user 200 randomly chooses a, b ^ Z q * 
10 as blinding factors. The user 200 computes a blinded 
message c described by c = H(m, e (b ■ Q ID + R + a - P, P pU b) ) + 
b (mod q) , where m is a message to be signed. Then the user 
200 sends c to the signer 100 (step 206) . 

Thereafter, the signer 100 sends back a signed message 
15 S described by S = c • S ID + r • P pub (step 207) . 

Thereafter, the user 200 computes S' = S + a • P pub and 
c' = c - b by using the blinding factors the user 200 chose, 
and outputs {m, S', c'j (step 208). Then, (S ' , c') is the 
blind signature of the message m. 
20 During a process of verification (step 209) , the user 

200 makes use of the message m, the system parameters and 
the signer's public key Q ID that the trust authority 300 
disclosed. The signature is acceptable if and only if c' = 
K(m f e(S', P) • e(Q IDr P P ub)~°' • The verification of the 
25 signature is justified by employing the following equations: 
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H(m, e(S', P) • e(Q ID , P pub )- C ') 
= H(m, e(S + aP pub , P) - e (Qj D , P P ut>)~ c ') 
- H (m, e(cS ID + rP pub + <3P pUjb , p; - e (Qjd, Ppub) ~°' ) 
« H (m, e(cS ID , P) • e(rP pub + aP pubf P) - e f Q JD , Ppub/*" 0 '; 
5 = ffftn, efS JD , p; c - e ( fr + a; P pui3/ p; • e (Qxo, P pub ) ~ c ' ) 

= H(m, e(Q ID , P pub ) c -e((r + a)P, P pub ) ■ e (Q 1D , P pub ) ' c ' ) 
= H(m, e (Qjd, P P u b )°~ c ' * e (R + aP, P pub ) ) 
= H(m, e(Q ID , P pub ) b • e(R + aP, P pub ) ) 
= H(m, e(bQ 1D + R + aP, P pub ) ) 
10 - c - b = c'. 

As describe above, the ID-based blind signature scheme 
of the present invention is considered as a combination of a 
general blind signature scheme and an ID-based one. In 

15 other words, it is a kind of blind signature but its public 
key for verification is just the signer's identity. 

The ID-based blind signature scheme can be performed 
with supersingular elliptic curves or hyperelliptic curves. 
The essential operation in the ID-based signature schemes is 

20 to compute a bilinear pairing. The computation of a 
bilinear pairing may be performed efficiently and the length 
of a signature can be reduced by using compression 
techniques . 

Since the scheme of the present invention is based on 
25 an identity rather than an arbitrary number, a public key 
includes one's information, e.g., an email address, that may 
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uniquely identify oneself. In some applications, the 

lengths of public keys and signatures can be reduced. For 
instance, in an electronic voting or an electronic auction 
system, the registration manager (RM) can play the role of 
5 the trust authority. In the registration phase, RM gives a 
bidder or a voter his registration number as his public key 
= { (The name of the e-voting or e-auction system II RM II 
Date li Number), n}. Here, n is the number of all bidders 
or voters. 

10 Further, the blind signature of the present invention 

provides the user's anonymity and non-f orgeability . To 
produce a blind signature, the signer is only required to 
compute three scalar multiplications in G, while the user is 
required three scalar multiplications in G, one hash 

15 function evaluation and one bilinear pairing computation. 

The verification operation requires one hash function 
evaluation, two bilinear pairing computations and one 
exponentiation in V. One pairing computation can be saved 
by precomputing e (Q ID , P pU b) , if a large number of 

20 verifications are to be performed for the same identity. 
The signature includes an element in G and an element in V. 
In practice, the size of the element in G(elliptic curve 
group or hyperelliptic curve Jacobians) can be reduced by 
using compression techniques. 

25 The above-described system for generating and 

verifying an ID-based blind signature by using bilinear 
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parings in accordance with the present invention may reduce 
the amount of computing time and storage and simplify the 
key management procedures because processes needed in the 
certificate-based public key setting, i.e., transmission of 
5 certificates, verification of certificates and the like, are 
not needed. 

While the invention has been shown and described with 
respect to the preferred embodiments, it will be understood 
by those skilled in the art that various changes and 
10 modifications may be made without departing from the spirit 
and scope of the invention as defined in the following 
claims . 
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